LinuxQuestions.org
Old 02-26-2010, 11:16 AM   #1
vonedaddy
Member
 
Registered: Aug 2004
Location: Philadelphia,PA
Posts: 177

Rep: Reputation: 17
IPTABLES frustration


I am fairly new to playing with iptables, although I have been using Linux for a couple of years. Can someone please help me here?

I have port 8662 open on my router forwarding to my Linux server. I want to allow SSH connections from a certain IP address to come in on 8662 and be forwarded to port 22 on eth1 on my Linux server.

This is the iptables command I have used without any luck:

iptables -A INPUT -i eth1 -p tcp -s 1.1.1.1 --sport 8662 --dport 22 -j ACCEPT

(ip address replaced for obvious reasons)

From what I have read this SHOULD do it, although traffic is still blocked.

Anyone?
 
Old 02-26-2010, 11:35 AM   #2
Hangdog42
LQ Veteran
 
Registered: Feb 2003
Location: Maryland
Distribution: Slackware
Posts: 7,778
Blog Entries: 1

Rep: Reputation: 412
Quote:
--sport 8662
I think you're confusing input ports and output ports. Just because your router is receiving SSH on port 8662 doesn't mean that it will forward from that port. If you eliminate this, it will probably work. Besides, I don't think that locking down the source port really gets you much from a security perspective.
 
Old 02-26-2010, 11:38 AM   #3
vonedaddy
Member
 
Registered: Aug 2004
Location: Philadelphia,PA
Posts: 177

Original Poster
Rep: Reputation: 17
I am not sure I am following. Any incoming ssh connections on the router will be forwarded to the box on port 8662. Do I not have to tell my linux machine that the source port will be 8662?

Thanks for answering by the way!
 
Old 02-26-2010, 11:58 AM   #4
Hangdog42
LQ Veteran
 
Registered: Feb 2003
Location: Maryland
Distribution: Slackware
Posts: 7,778
Blog Entries: 1

Rep: Reputation: 412
I may be a touch confused as well. I'm assuming this rule is running on your SSH server box, so the following is based on that assumption. If that is wrong, I'll need to revise things a bit.

Quote:
iptables -A INPUT -i eth1 -p tcp -s 1.1.1.1 --sport 8662 --dport 22 -j ACCEPT
OK, let me break down my understanding of this rule. Essentially it is saying that it will accept any packet that arrives from port 8662 on 1.1.1.1 AND is heading for port 22 on this box (assuming this rule is running on the SSH box). That is making an assumption about what your router is doing with the packets arriving on port 8662. Assume a remote SSH client is trying to establish a connection. They would aim for your external IP address and port 8662. However, the client would not be SENDING from port 8662. It could use whatever port is available.

So essentially, by locking down the source port, you're limiting yourself to connections that just happen to originate from port 8662, unless you've also taken steps to make sure they originate from there. And to be honest, there are much better ways of locking down SSH access than specifying source ports.
 
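The corrected rules for the setup discussed above, as an added example that is not from the original posts. It assumes the rules run on the SSH server itself, that eth1 is the interface facing the router, and that the client is 1.1.1.1. Because the thread never settles whether the router rewrites 8662 to 22 or forwards 8662 unchanged, both cases are covered; the conntrack match and the REDIRECT target are my additions, not something the posters suggested. The script only echoes the iptables commands unless you run it with IPT=iptables:

```shell
#!/bin/sh
# Added example (not from the thread). Dry-run by default: the commands are
# printed, not executed. Run with IPT=iptables to apply them for real.
IPT="${IPT:-echo iptables}"

# Case A (assumption: the router rewrites external 8662 -> 22 before
# forwarding). Match on source address and destination port only. Never
# match on --sport: a client picks its own source port from the ephemeral
# range, so a --sport 8662 rule drops almost every real connection.
allow_ssh_from() {
    src="$1"; ifc="$2"
    $IPT -A INPUT -i "$ifc" -p tcp -s "$src" --dport 22 \
        -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
}

# Case B (assumption: the router forwards 8662 -> 8662 unchanged). Redirect
# 8662 to 22 locally in the nat table, then accept port 22 exactly as in
# case A. The REDIRECT happens in PREROUTING, before INPUT sees the packet,
# so the INPUT rule still matches on --dport 22.
redirect_and_allow_ssh_from() {
    src="$1"; ifc="$2"; port="$3"
    $IPT -t nat -A PREROUTING -i "$ifc" -p tcp -s "$src" --dport "$port" \
        -j REDIRECT --to-ports 22
    allow_ssh_from "$src" "$ifc"
}

# Print the range the local kernel hands to outgoing connections; a Linux
# client chooses its SSH source port from a range like this, not 8662.
ephemeral_range() {
    if [ -r /proc/sys/net/ipv4/ip_local_port_range ]; then
        cat /proc/sys/net/ipv4/ip_local_port_range
    else
        echo "32768 60999"   # Linux default, used when /proc is unavailable
    fi
}

# Return 0 when a rule string pins the source port, which is the mistake in
# the original rule. Handy as a lint over a ruleset dump.
pins_source_port() {
    case "$1" in
        *--sport*) return 0 ;;
        *)         return 1 ;;
    esac
}

echo "# local ephemeral port range: $(ephemeral_range)"
allow_ssh_from 1.1.1.1 eth1
redirect_and_allow_ssh_from 1.1.1.1 eth1 8662
```

After applying the rules, `iptables -L INPUT -v -n` shows per-rule packet counters, so an SSH attempt from 1.1.1.1 should bump the --dport 22 rule; if it does not, the router is not delivering the packets where you assumed. On the client side, `ss -tn` while the session is open shows the actual source port in use, which will be an ephemeral one rather than 8662.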
Old 02-26-2010, 12:44 PM   #5
vonedaddy
Member
 
Registered: Aug 2004
Location: Philadelphia,PA
Posts: 177

Original Poster
Rep: Reputation: 17
Ok, now I have a MUCH better understanding of what I am doing here. Thank you so much for your time!
 
  


All times are GMT -5.